Reverse Deception: Organized Cyber Threat Counter-Exploitation

Advanced persistent threat (APT) is one of the most common information security terms used today and it is an undeniably real and dangerous menace.

Wikipedia notes that APTs usually refer to a group, such as a foreign government, with both the capability and the intent to persistently and effectively target a specific entity. The term is commonly used to refer to cyber threats, in particular Internet-enabled espionage that uses a variety of intelligence-gathering techniques to access sensitive information, but it applies equally to other threats, such as traditional espionage or attack.

Every organization of size and scope is a target, and many of the world’s largest firms and governments have been victims. In Reverse Deception: Organized Cyber Threat Counter-Exploitation, Dr. Max Kilger and his co-authors provide an effective counterintelligence approach with which to deal with APT. The good news is that the authors provide an effective framework. The bad news is that creating an effective defense is not an easy undertaking.

When it comes to APT, the de facto perpetrator is China. The book shows how to pursue and hopefully prosecute the perpetrator. But that raises the question: how many firms can realistically defend themselves against an adversary like China, the RBN or a nation state?

In the introduction, the authors note that deception is about behavior, both induced in the adversary and undertaken by the deceiver to exploit it. To deceive, the authors write, it is not sufficient to induce belief in the adversary; it is necessary also to prepare and execute the exploitation of resultant behavior. Once again, preparation and execution against a nation state is not a small endeavor.

Chapter 1 (available free here) sets the stage for the rest of the book and provides an overview of the topic and some examples of advanced and persistent threats, including Stuxnet, Operation Aurora, the RBN and more.

Being the biggest of all APT, China takes center stage in chapter 2 – What is Deception? That is nothing new, as China has successfully used deception for the last 2,000 years. China is referenced heavily in the book due to its extreme confidence and success in executing deception.

Chapter 3 – Cyber Counterintelligence (CI) details how to use CI to find the cyber-adversaries. The chapter provides both the basic investigative and operational techniques and tools, in addition to detailing how to use legal counsel to ensure that what you are doing is legal.

Chapter 5 gets into much more of the details around the legal issues, and what you can and can’t do to your adversary. The chapter provides an excellent overview of how to quantify which persistent threats are the most dangerous. It provides nine areas to rank, which together serve as a metric to weight each and every threat.

By the time the reader gets to chapter 4 on profiling, they will likely be overwhelmed by the amount of work necessary to implement an effective cyber CI program, which is indeed the case. The amount of time needed to develop an APT program is for the most part unfeasible for most organizations. While the book does not get into the budgetary issues, CIOs, CISOs and other IT managers will likely have a difficult time getting any sort of budget to fund an APT program.

Part of the issue is that many firms don’t have an effective IPS in place, so they won’t even know they are being attacked. In the majority of cases, the APT intrusion is not discovered by the firm itself, but rather by an outside entity that notifies them. What is worse is the fact that in many cases, APT malware has often been on the victim’s network undetected for years.

In addition, in the same way in which people who are scammed once are often repeatedly scammed again, companies that are victims of an APT will often be repeat victims, since the perpetrators may share that information with others.

A few of the authors have military and law enforcement background, which adds to their expertise and insights.

The book is meant to be used to pursue and prosecute the perpetrators of APT. With the exception of the military and a few Fortune 50 companies, the odds of effectively prosecuting APT perpetrators are quite small. Notwithstanding that difficulty, organizations must understand that they are under attack, and at least have some plan to assess their vulnerabilities.

This book is mainly an introduction to the topic, but does not provide a comprehensive strategy on how to implement an APT program. Such a reference would need to be at least a few times larger than this work.

There is a web site for the book, but it does not really do more than redirect you to Amazon and Barnes and Noble. Matthijs Koot has a detailed review of the book in which he took the time to detail the source hyperlinks the book’s web page should have had.

For anyone looking to understand what APTs are and how to deal with them, the book provides a comprehensive and unparalleled overview of the topic by experts in the field.

If nothing else, the book provides the reader with an appreciation for how dedicated the perpetrators behind APT are. They are smart, sophisticated, have governments and military agencies on their side and they are numerous. One of the many challenges of dealing with the Chinese APT is that China can easily throw tens of thousands of highly-trained and sophisticated attackers at a target in the US, while the target may only be able to muster a few people to provide a cyber-defense.

One of the most important things to take from the book is the third word in the title – organized. Those carrying out APT are highly organized, prepared and meticulous. They often do things in a slow methodical manner to avoid detection. The book provides a detailed methodology to deal with such adversaries.

The downside is that the victim companies themselves lack that organization. Defending against APT requires much more than simply reading this invaluable text. It requires management support, budget, effective tools and a highly trained staff to correctly use those tools. The great advice in the book won’t be of assistance if the team deployed does not know how to use those tools correctly.

The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.